Privacy Policy
Last updated: 22-06-2026
1. Who we are
REPONA (the "Service") is operated by Zorg by Blue, a sole proprietorship (eenmanszaak) registered with the Dutch Chamber of Commerce (KvK) under number 85507636, based in the Netherlands ("REPONA", "we", "us", "our").
For the purposes of the EU General Data Protection Regulation (GDPR), Zorg by Blue is the data controller for personal data processed through the Service.
You can contact us at any time about this policy or your personal data at hello@repona.ai.
2. Scope
This policy describes how we collect, use, store, share and protect personal data when you visit repona.ai, create an account, use the Service's features, or otherwise interact with REPONA.
A note on how REPONA is built: most of what you create in REPONA, your prompts and your collection, is stored only in your own browser, not on our servers. This policy explains the limited personal data we do hold and what happens to it.
3. Personal data we collect
We collect a deliberately small amount of personal data:
- Account data. Your email address, and, if you sign up with an email and password, an encrypted (hashed) password. If you sign in with Google, we receive a standard authentication identifier from Google instead of a password. This is handled by our authentication provider (see Section 7).
- Subscription data. Your plan (free, Starter or Pro), your subscription status, your credit balances, and the customer and subscription identifiers created by our payment provider. Your card details are collected and stored by Stripe; we never see or store your card number.
- Usage metering. For each AI action you run, we store a record containing the feature used, which AI model handled it, the number of tokens processed, the cost, and a timestamp. These records contain no prompt content, only counts and cost.
We do not collect your name, your address, your IP address for tracking purposes, device identifiers, or any advertising data. We run no analytics or tracking of any kind.
4. Your prompts and content
The prompts, titles and collections you create in REPONA are stored in your own browser, on your device, using your browser's local storage (IndexedDB). They are not uploaded to or stored on our servers. The export and import feature produces a file that you own and control.
The one exception is the AI features (described in Section 5 below): when you choose to run an AI action on specific content, that content is sent through our server to our AI provider to be processed, and the result is returned to you. We do not store that content.
5. AI processing of your content
When you use one of REPONA's paid AI features, the specific prompt content or PDF you submit for that action is sent from your browser, through our server, to our AI provider (Anthropic) so it can produce the requested result. This is the only time your content leaves your browser.
We do not store or log the content of these requests. After processing, we keep only a metering record of the token count and cost, as described in Section 3. The content itself is not retained by us.
Anthropic processes this content under its own terms in order to return your result. Content may be retained briefly by the AI provider for service operation and abuse monitoring, in line with its published policies.
6. How we use your personal data
We process your personal data for the following purposes, under the following legal bases (GDPR Article 6):
- To provide the Service. Creating and managing your account, running the features you request, and tracking your credit balance. Legal basis: performance of a contract.
- To take payments. Processing subscriptions, credit top-ups and refunds via Stripe. Legal basis: performance of a contract, and legal obligation (tax and accounting records).
- To communicate with you. Sending essential transactional emails such as sign-up confirmation, password resets and billing notices, and responding to support requests you send us. Legal basis: performance of a contract, and our legitimate interest in responding to enquiries.
- To secure the Service and prevent abuse. Monitoring for fraudulent or abusive use of the AI features and enforcing our Terms. Legal basis: our legitimate interest in protecting the Service, and legal obligation.
- To comply with the law. Responding to lawful requests from regulators, courts and authorities. Legal basis: legal obligation.
7. Service providers
We use a small number of third-party providers to operate REPONA. Each receives only the data it needs and is bound to protect it:
- Supabase (database and authentication hosting): your email, your encrypted password or Google sign-in identity, and your account and subscription metadata.
- Anthropic (AI processing): the prompt or PDF content you submit to an AI feature, for processing only, as described in Section 5.
- Stripe (payments): your email and the card and billing details you enter on Stripe's own secure checkout page. Stripe holds your card data; we never receive it.
- Vercel (hosting): processes the requests to and from the Service as our hosting provider.
- Google (only if you choose "Sign in with Google"): a standard sign-in identity exchange.
We do not sell your personal data, and we do not share it for advertising.
8. International data transfers
Some of our service providers operate infrastructure outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under the GDPR, such as the European Commission's Standard Contractual Clauses, and, where applicable, the recipient's certification under the EU-US Data Privacy Framework.
9. Retention
We keep your personal data only as long as we need it:
- Active accounts. We keep your account data for as long as your account is open.
- Account deletion. When you delete your account, we delete your account data within 30 days, except where we are required by law to keep certain records longer.
- Billing records. Invoices and payment records are retained for at least seven years to meet Dutch tax and accounting obligations.
- Backups. Data may persist briefly in encrypted backups after deletion before those backups roll over.
Because your prompts and collection live in your own browser, deleting them is in your control at any time, by clearing them within REPONA or in your browser's storage settings.
10. Your rights
Under the GDPR, you have the right to:
- access a copy of the personal data we hold about you;
- have us correct personal data we hold about you that is inaccurate or incomplete;
- delete your data ("the right to be forgotten");
- restrict or object to certain processing;
- receive a portable copy of the data you provided to us;
- withdraw any consent you gave us, at any time, without affecting processing done before withdrawal.
To exercise any of these rights, email hello@repona.ai. We will respond within the time limits required by law. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
11. Cookies and browser storage
We keep cookies and storage to the minimum needed to run the Service:
- Authentication cookies (strictly necessary): set to keep you signed in. The Service cannot function without these.
- Local storage (IndexedDB): used to store your prompts and collection in your own browser, as described in Section 4.
We do not use any analytics, advertising or tracking cookies. You can control cookies through your browser settings, but blocking the strictly necessary authentication cookies will prevent you from signing in.
12. Security
We take reasonable technical and organisational measures to protect personal data, including encryption in transit (HTTPS/TLS), encryption of stored data at rest, hashed passwords, row-level security in our database, and restricted access to privileged credentials. No system is perfectly secure, and we cannot guarantee absolute security.
13. Children
The Service is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or through the Service before they take effect. Continued use of the Service after a change takes effect means you accept the updated policy.
15. Contact us
Questions, requests or complaints about this policy or your data can be sent to hello@repona.ai.